Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information

MD5 - 57B224EC81AA9662A68AEDB5B050BF9B

SHA - 0F734696C65747F0AEAD1E3FF0F127100182723F

Aliases

Microsoft - Exploit:Win32/CVE-2009-3129

Sophos - Troj/DocDrop-S

Symantec - Trojan.Mdropper

TrendMicro - TROJ_EXPL.ARF

Indication of Infection

Methods of Infection

This threat exploits a Microsoft Excel vulnerability. It may be mass-spammed as an e-mail attachment and requires the user to open the Excel document and click on a hyperlink embedded in an Excel worksheet.

Virus Characteristics

This exploit could be executed by opening a specially crafted malicious Excel file and clicking on a hyperlink embedded in a worksheet. The end result could range from memory corruption to the silent installation of any number of viruses, trojans, and potentially unwanted programs.

When executed, the Trojan drops and executes the following malicious file:

%Temp%\1sass.exe

This Trojan drops the following clean file in the Temp folder and opens it in the Excel application.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
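An indicator sweep for the artifacts named in this description, added here as an example and not taken from the vendor: it walks a folder looking for the dropped file name and for files matching the listed hashes. The function names `digests` and `sweep` are hypothetical; the SHA value is treated as SHA-1 because it is 40 hex digits, and every file is hashed because the description does not say which file the hashes belong to.

```python
import hashlib
import os
from pathlib import Path

# Indicators copied from this description (lower-cased for comparison).
SAMPLE_HASHES = {
    "57b224ec81aa9662a68aedb5b050bf9b",          # MD5
    "0f734696c65747f0aead1e3ff0f127100182723f",  # SHA (assumed SHA-1)
}
DROPPED_NAME = "1sass.exe"  # digit one, not the letter l of lsass.exe


def digests(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5 = hashlib.md5(usedforsecurity=False)
    sha1 = hashlib.sha1(usedforsecurity=False)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, hashes=SAMPLE_HASHES, dropped_name=DROPPED_NAME):
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    wanted = {h.lower() for h in hashes}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = Path(folder) / name
            # Windows file names are case-insensitive, so compare folded.
            if name.lower() == dropped_name:
                findings.append(("dropped-file-name", str(path)))
            try:
                if wanted & set(digests(path)):
                    findings.append(("sample-hash", str(path)))
            except OSError:
                # Locked or unreadable file: report it, do not skip silently.
                findings.append(("unreadable", str(path)))
    return sorted(findings)


if __name__ == "__main__":
    # %Temp% from the description; fall back to the current directory.
    for reason, path in sweep(os.environ.get("TEMP", ".")):
        print(reason, path)
```

A name match alone is a lead for triage, not a verdict; a hash match on an Excel attachment is the stronger signal.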